usr/src/lib/pam_modules/rhosts_auth/rhosts_auth.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License, Version 1.0 only
   6  * (the "License").  You may not use this file except in compliance
   7  * with the License.
   8  *
   9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10  * or http://www.opensolaris.org/os/licensing.
  11  * See the License for the specific language governing permissions
  12  * and limitations under the License.
  13  *
  14  * When distributing Covered Code, include this CDDL HEADER in each
  15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16  * If applicable, add the following below this CDDL HEADER, with the
  17  * fields enclosed by brackets "[]" replaced with your own identifying
  18  * information: Portions Copyright [yyyy] [name of copyright owner]
  19  *
  20  * CDDL HEADER END
  21  */
  22 /*
  23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
  24  * Use is subject to license terms.
  25  */
  26
  27 #pragma ident   "%Z%%M% %I%     %E% SMI"
  28
  29 #include <sys/param.h>
  30 #include <security/pam_appl.h>
  31 #include <security/pam_modules.h>
  32 #include <pwd.h>
  33 #include <shadow.h>
  34 #include <string.h>
  35 #include <rpc/types.h>
  36 #include <rpc/auth.h>
  37 #include <locale.h>
  38 #include <crypt.h>
  39 #include <syslog.h>
  40
  41 extern int ruserok(const char *, int, const char *, const char *);
  42
  43 /*
  44  * pam_sm_authenticate  - Checks if the user is allowed remote access
  45  */
  46 /*ARGSUSED*/
  47 int
  48 pam_sm_authenticate(
  49         pam_handle_t    *pamh,
  50         int     flags,
  51         int     argc,
  52         const char      **argv)
  53 {
  54         char *host = NULL, *lusername = NULL;
  55         struct passwd pwd;
  56         struct passwd *pwdp;
  57         char pwd_buffer[1024];
  58         int     is_superuser;
  59         char    *rusername;
  60         int     i;
  61         int     debug = 0;
  62
  63         for (i = 0; i < argc; i++) {
  64                 if (strcasecmp(argv[i], "debug") == 0)
  65                         debug = 1;
  66                 else
  67                         syslog(LOG_DEBUG, "illegal option %s", argv[i]);
  68         }
  69
  70         if (pam_get_item(pamh, PAM_USER, (void **) &lusername) != PAM_SUCCESS)
  71                 return (PAM_SERVICE_ERR);
  72         if (pam_get_item(pamh, PAM_RHOST, (void **) &host) != PAM_SUCCESS)
  73                 return (PAM_SERVICE_ERR);
  74         if (pam_get_item(pamh, PAM_RUSER, (void **)&rusername) != PAM_SUCCESS)
  75                 return (PAM_SERVICE_ERR);
  76
  77         if (lusername == NULL || *lusername == '\0')
  78                 return (PAM_USER_UNKNOWN);
  79         if (rusername == NULL || *rusername == '\0')
  80                 return (PAM_AUTH_ERR);
  81         if (host == NULL || *host == '\0')
  82                 return (PAM_AUTH_ERR);
  83
  84         if (debug) {
  85                 syslog(LOG_DEBUG,
  86                         "rhosts authenticate: user = %s, host = %s",
  87                         lusername, host);
  88         }
  89
  90         getpwnam_r(lusername, &pwd, pwd_buffer, sizeof (pwd_buffer), &pwdp);
  91         if (!pwdp)
  92                 return (PAM_USER_UNKNOWN);
  93
  94         if (pwd.pw_uid == 0)
  95                 is_superuser = 1;
  96         else
  97                 is_superuser = 0;
  98
  99         return (ruserok(host, is_superuser, rusername, lusername)
 100                 == -1 ? PAM_AUTH_ERR : PAM_SUCCESS);
 101
 102 }
 103
 104 /*
 105  * dummy pam_sm_setcred - does nothing
 106  */
 107 /*ARGSUSED*/
 108 int
 109 pam_sm_setcred(
 110         pam_handle_t    *pamh,
 111         int     flags,
 112         int     argc,
 113         const char      **argv)
 114 {
 115         return (PAM_IGNORE);
 116 }